Remove the few places where we try to ast_verbose() without a newline.
[asterisk/asterisk.git] / main / tcptls.c
1 /*
2  * Asterisk -- An open source telephony toolkit.
3  *
4  * Copyright (C) 2007 - 2008, Digium, Inc.
5  *
6  * Luigi Rizzo (TCP and TLS server code)
7  * Brett Bryant <brettbryant@gmail.com> (updated for client support)
8  *
9  * See http://www.asterisk.org for more information about
10  * the Asterisk project. Please do not directly contact
11  * any of the maintainers of this project for assistance;
12  * the project provides a web site, mailing lists and IRC
13  * channels for your use.
14  *
15  * This program is free software, distributed under the terms of
16  * the GNU General Public License Version 2. See the LICENSE file
17  * at the top of the source tree.
18  */
19
20 /*!
21  * \file
22  * \brief Code to support TCP and TLS server/client
23  *
24  * \author Luigi Rizzo
25  * \author Brett Bryant <brettbryant@gmail.com>
26  */
27
28 #include "asterisk.h"
29
30 ASTERISK_FILE_VERSION(__FILE__, "$Revision$")
31
32 #ifdef HAVE_FCNTL_H
33 #include <fcntl.h>
34 #endif
35
36 #include <signal.h>
37 #include <sys/signal.h>
38
39 #include "asterisk/compat.h"
40 #include "asterisk/tcptls.h"
41 #include "asterisk/http.h"
42 #include "asterisk/utils.h"
43 #include "asterisk/strings.h"
44 #include "asterisk/options.h"
45 #include "asterisk/manager.h"
46 #include "asterisk/astobj2.h"
47
48 /*! \brief
49  * replacement read/write functions for SSL support.
50  * We use wrappers rather than SSL_read/SSL_write directly so
51  * we can put in some debugging.
52  */
53
54 #ifdef DO_SSL
55 static HOOK_T ssl_read(void *cookie, char *buf, LEN_T len)
56 {
57         int i = SSL_read(cookie, buf, len-1);
58 #if 0
59         if (i >= 0) {
60                 buf[i] = '\0';
61         }
62         ast_verb(0, "ssl read size %d returns %d <%s>\n", (int)len, i, buf);
63 #endif
64         return i;
65 }
66
67 static HOOK_T ssl_write(void *cookie, const char *buf, LEN_T len)
68 {
69 #if 0
70         char *s = alloca(len+1);
71
72         strncpy(s, buf, len);
73         s[len] = '\0';
74         ast_verb(0, "ssl write size %d <%s>\n", (int)len, s);
75 #endif
76         return SSL_write(cookie, buf, len);
77 }
78
79 static int ssl_close(void *cookie)
80 {
81         int cookie_fd = SSL_get_fd(cookie);
82         int ret;
83         if (cookie_fd > -1) {
84                 /*
85                  * According to the TLS standard, it is acceptable for an application to only send its shutdown
86                  * alert and then close the underlying connection without waiting for the peer's response (this
87                  * way resources can be saved, as the process can already terminate or serve another connection).
88                  */
89                 if ((ret = SSL_shutdown(cookie)) < 0) {
90                         ast_log(LOG_ERROR, "SSL_shutdown() failed: %d\n", SSL_get_error(cookie, ret));
91                 }
92                 SSL_free(cookie);
93                 /* adding shutdown(2) here has no added benefit */
94                 if (close(cookie_fd)) {
95                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
96                 }
97         }
98         return 0;
99 }
100 #endif  /* DO_SSL */
101
102 HOOK_T ast_tcptls_server_read(struct ast_tcptls_session_instance *tcptls_session, void *buf, size_t count)
103 {
104         if (tcptls_session->fd == -1) {
105                 ast_log(LOG_ERROR, "server_read called with an fd of -1\n");
106                 errno = EIO;
107                 return -1;
108         }
109
110 #ifdef DO_SSL
111         if (tcptls_session->ssl) {
112                 return ssl_read(tcptls_session->ssl, buf, count);
113         }
114 #endif
115         return read(tcptls_session->fd, buf, count);
116 }
117
118 HOOK_T ast_tcptls_server_write(struct ast_tcptls_session_instance *tcptls_session, const void *buf, size_t count)
119 {
120         if (tcptls_session->fd == -1) {
121                 ast_log(LOG_ERROR, "server_write called with an fd of -1\n");
122                 errno = EIO;
123                 return -1;
124         }
125
126 #ifdef DO_SSL
127         if (tcptls_session->ssl) {
128                 return ssl_write(tcptls_session->ssl, buf, count);
129         }
130 #endif
131         return write(tcptls_session->fd, buf, count);
132 }
133
134 static void session_instance_destructor(void *obj)
135 {
136         struct ast_tcptls_session_instance *i = obj;
137         ast_mutex_destroy(&i->lock);
138 }
139
140 /*! \brief
141 * creates a FILE * from the fd passed by the accept thread.
142 * This operation is potentially expensive (certificate verification),
143 * so we do it in the child thread context.
144 *
145 * \note must decrement ref count before returning NULL on error
146 */
147 static void *handle_tcptls_connection(void *data)
148 {
149         struct ast_tcptls_session_instance *tcptls_session = data;
150 #ifdef DO_SSL
151         int (*ssl_setup)(SSL *) = (tcptls_session->client) ? SSL_connect : SSL_accept;
152         int ret;
153         char err[256];
154 #endif
155
156         /*
157         * open a FILE * as appropriate.
158         */
159         if (!tcptls_session->parent->tls_cfg) {
160                 if ((tcptls_session->f = fdopen(tcptls_session->fd, "w+"))) {
161                         if(setvbuf(tcptls_session->f, NULL, _IONBF, 0)) {
162                                 ast_tcptls_close_session_file(tcptls_session);
163                         }
164                 }
165         }
166 #ifdef DO_SSL
167         else if ( (tcptls_session->ssl = SSL_new(tcptls_session->parent->tls_cfg->ssl_ctx)) ) {
168                 SSL_set_fd(tcptls_session->ssl, tcptls_session->fd);
169                 if ((ret = ssl_setup(tcptls_session->ssl)) <= 0) {
170                         ast_verb(2, "Problem setting up ssl connection: %s\n", ERR_error_string(ERR_get_error(), err));
171                 } else {
172 #if defined(HAVE_FUNOPEN)       /* the BSD interface */
173                         tcptls_session->f = funopen(tcptls_session->ssl, ssl_read, ssl_write, NULL, ssl_close);
174
175 #elif defined(HAVE_FOPENCOOKIE) /* the glibc/linux interface */
176                         static const cookie_io_functions_t cookie_funcs = {
177                                 ssl_read, ssl_write, NULL, ssl_close
178                         };
179                         tcptls_session->f = fopencookie(tcptls_session->ssl, "w+", cookie_funcs);
180 #else
181                         /* could add other methods here */
182                         ast_debug(2, "no tcptls_session->f methods attempted!");
183 #endif
184                         if ((tcptls_session->client && !ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_DONT_VERIFY_SERVER))
185                                 || (!tcptls_session->client && ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_VERIFY_CLIENT))) {
186                                 X509 *peer;
187                                 long res;
188                                 peer = SSL_get_peer_certificate(tcptls_session->ssl);
189                                 if (!peer) {
190                                         ast_log(LOG_WARNING, "No peer SSL certificate\n");
191                                 }
192                                 res = SSL_get_verify_result(tcptls_session->ssl);
193                                 if (res != X509_V_OK) {
194                                         ast_log(LOG_ERROR, "Certificate did not verify: %s\n", X509_verify_cert_error_string(res));
195                                 }
196                                 if (!ast_test_flag(&tcptls_session->parent->tls_cfg->flags, AST_SSL_IGNORE_COMMON_NAME)) {
197                                         ASN1_STRING *str;
198                                         unsigned char *str2;
199                                         X509_NAME *name = X509_get_subject_name(peer);
200                                         int pos = -1;
201                                         int found = 0;
202
203                                         for (;;) {
204                                                 /* Walk the certificate to check all available "Common Name" */
205                                                 /* XXX Probably should do a gethostbyname on the hostname and compare that as well */
206                                                 pos = X509_NAME_get_index_by_NID(name, NID_commonName, pos);
207                                                 if (pos < 0) {
208                                                         break;
209                                                 }
210                                                 str = X509_NAME_ENTRY_get_data(X509_NAME_get_entry(name, pos));
211                                                 ASN1_STRING_to_UTF8(&str2, str);
212                                                 if (str2) {
213                                                         if (!strcasecmp(tcptls_session->parent->hostname, (char *) str2)) {
214                                                                 found = 1;
215                                                         }
216                                                         ast_debug(3, "SSL Common Name compare s1='%s' s2='%s'\n", tcptls_session->parent->hostname, str2);
217                                                         OPENSSL_free(str2);
218                                                 }
219                                                 if (found) {
220                                                         break;
221                                                 }
222                                         }
223                                         if (!found) {
224                                                 ast_log(LOG_ERROR, "Certificate common name did not match (%s)\n", tcptls_session->parent->hostname);
225                                                 if (peer) {
226                                                         X509_free(peer);
227                                                 }
228                                                 ast_tcptls_close_session_file(tcptls_session);
229                                                 ao2_ref(tcptls_session, -1);
230                                                 return NULL;
231                                         }
232                                 }
233                                 if (peer) {
234                                         X509_free(peer);
235                                 }
236                         }
237                 }
238                 if (!tcptls_session->f) {       /* no success opening descriptor stacking */
239                         SSL_free(tcptls_session->ssl);
240                 }
241         }
242 #endif /* DO_SSL */
243
244         if (!tcptls_session->f) {
245                 ast_tcptls_close_session_file(tcptls_session);
246                 ast_log(LOG_WARNING, "FILE * open failed!\n");
247 #ifndef DO_SSL
248                 if (tcptls_session->parent->tls_cfg) {
249                         ast_log(LOG_WARNING, "Attempted a TLS connection without OpenSSL support. This will not work!\n");
250                 }
251 #endif
252                 ao2_ref(tcptls_session, -1);
253                 return NULL;
254         }
255
256         if (tcptls_session && tcptls_session->parent->worker_fn) {
257                 return tcptls_session->parent->worker_fn(tcptls_session);
258         } else {
259                 return tcptls_session;
260         }
261 }
262
263 void *ast_tcptls_server_root(void *data)
264 {
265         struct ast_tcptls_session_args *desc = data;
266         int fd;
267         struct ast_sockaddr addr;
268         struct ast_tcptls_session_instance *tcptls_session;
269         pthread_t launched;
270
271         for (;;) {
272                 int i, flags;
273
274                 if (desc->periodic_fn) {
275                         desc->periodic_fn(desc);
276                 }
277                 i = ast_wait_for_input(desc->accept_fd, desc->poll_timeout);
278                 if (i <= 0) {
279                         continue;
280                 }
281                 fd = ast_accept(desc->accept_fd, &addr);
282                 if (fd < 0) {
283                         if ((errno != EAGAIN) && (errno != EINTR)) {
284                                 ast_log(LOG_WARNING, "Accept failed: %s\n", strerror(errno));
285                         }
286                         continue;
287                 }
288                 tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor);
289                 if (!tcptls_session) {
290                         ast_log(LOG_WARNING, "No memory for new session: %s\n", strerror(errno));
291                         if (close(fd)) {
292                                 ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
293                         }
294                         continue;
295                 }
296
297                 ast_mutex_init(&tcptls_session->lock);
298
299                 flags = fcntl(fd, F_GETFL);
300                 fcntl(fd, F_SETFL, flags & ~O_NONBLOCK);
301                 tcptls_session->fd = fd;
302                 tcptls_session->parent = desc;
303                 ast_sockaddr_copy(&tcptls_session->remote_address, &addr);
304
305                 tcptls_session->client = 0;
306
307                 /* This thread is now the only place that controls the single ref to tcptls_session */
308                 if (ast_pthread_create_detached_background(&launched, NULL, handle_tcptls_connection, tcptls_session)) {
309                         ast_log(LOG_WARNING, "Unable to launch helper thread: %s\n", strerror(errno));
310                         ast_tcptls_close_session_file(tcptls_session);
311                         ao2_ref(tcptls_session, -1);
312                 }
313         }
314         return NULL;
315 }
316
317 static int __ssl_setup(struct ast_tls_config *cfg, int client)
318 {
319 #ifndef DO_SSL
320         cfg->enabled = 0;
321         return 0;
322 #else
323         if (!cfg->enabled) {
324                 return 0;
325         }
326
327         SSL_load_error_strings();
328         SSLeay_add_ssl_algorithms();
329
330         if (client) {
331 #ifndef OPENSSL_NO_SSL2
332                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV2_CLIENT)) {
333                         cfg->ssl_ctx = SSL_CTX_new(SSLv2_client_method());
334                 } else
335 #endif
336                 if (ast_test_flag(&cfg->flags, AST_SSL_SSLV3_CLIENT)) {
337                         cfg->ssl_ctx = SSL_CTX_new(SSLv3_client_method());
338                 } else if (ast_test_flag(&cfg->flags, AST_SSL_TLSV1_CLIENT)) {
339                         cfg->ssl_ctx = SSL_CTX_new(TLSv1_client_method());
340                 } else {
341                         /* SSLv23_client_method() sends SSLv2, this was the original
342                          * default for ssl clients before the option was given to
343                          * pick what protocol a client should use.  In order not
344                          * to break expected behavior it remains the default. */
345                         cfg->ssl_ctx = SSL_CTX_new(SSLv23_client_method());
346                 }
347         } else {
348                 /* SSLv23_server_method() supports TLSv1, SSLv2, and SSLv3 inbound connections. */
349                 cfg->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
350         }
351
352         if (!cfg->ssl_ctx) {
353                 ast_debug(1, "Sorry, SSL_CTX_new call returned null...\n");
354                 cfg->enabled = 0;
355                 return 0;
356         }
357         if (!ast_strlen_zero(cfg->certfile)) {
358                 char *tmpprivate = ast_strlen_zero(cfg->pvtfile) ? cfg->certfile : cfg->pvtfile;
359                 if (SSL_CTX_use_certificate_file(cfg->ssl_ctx, cfg->certfile, SSL_FILETYPE_PEM) == 0) {
360                         if (!client) {
361                                 /* Clients don't need a certificate, but if its setup we can use it */
362                                 ast_verb(0, "SSL error loading cert file. <%s>\n", cfg->certfile);
363                                 sleep(2);
364                                 cfg->enabled = 0;
365                                 return 0;
366                         }
367                 }
368                 if ((SSL_CTX_use_PrivateKey_file(cfg->ssl_ctx, tmpprivate, SSL_FILETYPE_PEM) == 0) || (SSL_CTX_check_private_key(cfg->ssl_ctx) == 0 )) {
369                         if (!client) {
370                                 /* Clients don't need a private key, but if its setup we can use it */
371                                 ast_verb(0, "SSL error loading private key file. <%s>\n", tmpprivate);
372                                 sleep(2);
373                                 cfg->enabled = 0;
374                                 return 0;
375                         }
376                 }
377         }
378         if (!ast_strlen_zero(cfg->cipher)) {
379                 if (SSL_CTX_set_cipher_list(cfg->ssl_ctx, cfg->cipher) == 0 ) {
380                         if (!client) {
381                                 ast_verb(0, "SSL cipher error <%s>\n", cfg->cipher);
382                                 sleep(2);
383                                 cfg->enabled = 0;
384                                 return 0;
385                         }
386                 }
387         }
388         if (!ast_strlen_zero(cfg->cafile) || !ast_strlen_zero(cfg->capath)) {
389                 if (SSL_CTX_load_verify_locations(cfg->ssl_ctx, S_OR(cfg->cafile, NULL), S_OR(cfg->capath,NULL)) == 0) {
390                         ast_verb(0, "SSL CA file(%s)/path(%s) error\n", cfg->cafile, cfg->capath);
391                 }
392         }
393
394         ast_verb(0, "SSL certificate ok\n");
395         return 1;
396 #endif
397 }
398
399 int ast_ssl_setup(struct ast_tls_config *cfg)
400 {
401         return __ssl_setup(cfg, 0);
402 }
403
404 struct ast_tcptls_session_instance *ast_tcptls_client_start(struct ast_tcptls_session_instance *tcptls_session)
405 {
406         struct ast_tcptls_session_args *desc;
407         int flags;
408
409         if (!(desc = tcptls_session->parent)) {
410                 goto client_start_error;
411         }
412
413         if (ast_connect(desc->accept_fd, &desc->remote_address)) {
414                 ast_log(LOG_ERROR, "Unable to connect %s to %s: %s\n",
415                         desc->name,
416                         ast_sockaddr_stringify(&desc->remote_address),
417                         strerror(errno));
418                 goto client_start_error;
419         }
420
421         flags = fcntl(desc->accept_fd, F_GETFL);
422         fcntl(desc->accept_fd, F_SETFL, flags & ~O_NONBLOCK);
423
424         if (desc->tls_cfg) {
425                 desc->tls_cfg->enabled = 1;
426                 __ssl_setup(desc->tls_cfg, 1);
427         }
428
429         return handle_tcptls_connection(tcptls_session);
430
431 client_start_error:
432         close(desc->accept_fd);
433         desc->accept_fd = -1;
434         if (tcptls_session) {
435                 ao2_ref(tcptls_session, -1);
436         }
437         return NULL;
438
439 }
440
441 struct ast_tcptls_session_instance *ast_tcptls_client_create(struct ast_tcptls_session_args *desc)
442 {
443         int x = 1;
444         struct ast_tcptls_session_instance *tcptls_session = NULL;
445
446         /* Do nothing if nothing has changed */
447         if (!ast_sockaddr_cmp(&desc->old_address, &desc->remote_address)) {
448                 ast_debug(1, "Nothing changed in %s\n", desc->name);
449                 return NULL;
450         }
451
452         /* If we return early, there is no connection */
453         ast_sockaddr_setnull(&desc->old_address);
454
455         if (desc->accept_fd != -1) {
456                 close(desc->accept_fd);
457         }
458
459         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->remote_address) ?
460                                  AF_INET6 : AF_INET, SOCK_STREAM, IPPROTO_TCP);
461         if (desc->accept_fd < 0) {
462                 ast_log(LOG_WARNING, "Unable to allocate socket for %s: %s\n",
463                         desc->name, strerror(errno));
464                 return NULL;
465         }
466
467         /* if a local address was specified, bind to it so the connection will
468            originate from the desired address */
469         if (!ast_sockaddr_isnull(&desc->local_address)) {
470                 setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
471                 if (ast_bind(desc->accept_fd, &desc->local_address)) {
472                         ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
473                                 desc->name,
474                                 ast_sockaddr_stringify(&desc->local_address),
475                                 strerror(errno));
476                         goto error;
477                 }
478         }
479
480         if (!(tcptls_session = ao2_alloc(sizeof(*tcptls_session), session_instance_destructor))) {
481                 goto error;
482         }
483
484         ast_mutex_init(&tcptls_session->lock);
485         tcptls_session->client = 1;
486         tcptls_session->fd = desc->accept_fd;
487         tcptls_session->parent = desc;
488         tcptls_session->parent->worker_fn = NULL;
489         ast_sockaddr_copy(&tcptls_session->remote_address,
490                           &desc->remote_address);
491
492         /* Set current info */
493         ast_sockaddr_copy(&desc->old_address, &desc->remote_address);
494         return tcptls_session;
495
496 error:
497         close(desc->accept_fd);
498         desc->accept_fd = -1;
499         if (tcptls_session) {
500                 ao2_ref(tcptls_session, -1);
501         }
502         return NULL;
503 }
504
505 void ast_tcptls_server_start(struct ast_tcptls_session_args *desc)
506 {
507         int flags;
508         int x = 1;
509
510         /* Do nothing if nothing has changed */
511         if (!ast_sockaddr_cmp(&desc->old_address, &desc->local_address)) {
512                 ast_debug(1, "Nothing changed in %s\n", desc->name);
513                 return;
514         }
515
516         /* If we return early, there is no one listening */
517         ast_sockaddr_setnull(&desc->old_address);
518
519         /* Shutdown a running server if there is one */
520         if (desc->master != AST_PTHREADT_NULL) {
521                 pthread_cancel(desc->master);
522                 pthread_kill(desc->master, SIGURG);
523                 pthread_join(desc->master, NULL);
524         }
525
526         if (desc->accept_fd != -1) {
527                 close(desc->accept_fd);
528         }
529
530         /* If there's no new server, stop here */
531         if (ast_sockaddr_isnull(&desc->local_address)) {
532                 ast_debug(2, "Server disabled:  %s\n", desc->name);
533                 return;
534         }
535
536         desc->accept_fd = socket(ast_sockaddr_is_ipv6(&desc->local_address) ?
537                                  AF_INET6 : AF_INET, SOCK_STREAM, 0);
538         if (desc->accept_fd < 0) {
539                 ast_log(LOG_ERROR, "Unable to allocate socket for %s: %s\n", desc->name, strerror(errno));
540                 return;
541         }
542
543         setsockopt(desc->accept_fd, SOL_SOCKET, SO_REUSEADDR, &x, sizeof(x));
544         if (ast_bind(desc->accept_fd, &desc->local_address)) {
545                 ast_log(LOG_ERROR, "Unable to bind %s to %s: %s\n",
546                         desc->name,
547                         ast_sockaddr_stringify(&desc->local_address),
548                         strerror(errno));
549                 goto error;
550         }
551         if (listen(desc->accept_fd, 10)) {
552                 ast_log(LOG_ERROR, "Unable to listen for %s!\n", desc->name);
553                 goto error;
554         }
555         flags = fcntl(desc->accept_fd, F_GETFL);
556         fcntl(desc->accept_fd, F_SETFL, flags | O_NONBLOCK);
557         if (ast_pthread_create_background(&desc->master, NULL, desc->accept_fn, desc)) {
558                 ast_log(LOG_ERROR, "Unable to launch thread for %s on %s: %s\n",
559                         desc->name,
560                         ast_sockaddr_stringify(&desc->local_address),
561                         strerror(errno));
562                 goto error;
563         }
564
565         /* Set current info */
566         ast_sockaddr_copy(&desc->old_address, &desc->local_address);
567
568         return;
569
570 error:
571         close(desc->accept_fd);
572         desc->accept_fd = -1;
573 }
574
575 void ast_tcptls_close_session_file(struct ast_tcptls_session_instance *tcptls_session)
576 {
577         if (tcptls_session->f) {
578                 if (fclose(tcptls_session->f)) {
579                         ast_log(LOG_ERROR, "fclose() failed: %s\n", strerror(errno));
580                 }
581                 tcptls_session->f = NULL;
582                 tcptls_session->fd = -1;
583         } else if (tcptls_session->fd != -1) {
584                 if (close(tcptls_session->fd)) {
585                         ast_log(LOG_ERROR, "close() failed: %s\n", strerror(errno));
586                 }
587                 tcptls_session->fd = -1;
588         } else {
589                 ast_log(LOG_ERROR, "ast_tcptls_close_session_file invoked on session instance without file or file descriptor\n");
590         }
591 }
592
593 void ast_tcptls_server_stop(struct ast_tcptls_session_args *desc)
594 {
595         if (desc->master != AST_PTHREADT_NULL) {
596                 pthread_cancel(desc->master);
597                 pthread_kill(desc->master, SIGURG);
598                 pthread_join(desc->master, NULL);
599                 desc->master = AST_PTHREADT_NULL;
600         }
601         if (desc->accept_fd != -1) {
602                 close(desc->accept_fd);
603         }
604         desc->accept_fd = -1;
605         ast_debug(2, "Stopped server :: %s\n", desc->name);
606 }
607
608 int ast_tls_read_conf(struct ast_tls_config *tls_cfg, struct ast_tcptls_session_args *tls_desc, const char *varname, const char *value)
609 {
610         if (!strcasecmp(varname, "tlsenable") || !strcasecmp(varname, "sslenable")) {
611                 tls_cfg->enabled = ast_true(value) ? 1 : 0;
612         } else if (!strcasecmp(varname, "tlscertfile") || !strcasecmp(varname, "sslcert") || !strcasecmp(varname, "tlscert")) {
613                 ast_free(tls_cfg->certfile);
614                 tls_cfg->certfile = ast_strdup(value);
615         } else if (!strcasecmp(varname, "tlsprivatekey") || !strcasecmp(varname, "sslprivatekey")) {
616                 ast_free(tls_cfg->pvtfile);
617                 tls_cfg->pvtfile = ast_strdup(value);
618         } else if (!strcasecmp(varname, "tlscipher") || !strcasecmp(varname, "sslcipher")) {
619                 ast_free(tls_cfg->cipher);
620                 tls_cfg->cipher = ast_strdup(value);
621         } else if (!strcasecmp(varname, "tlscafile")) {
622                 ast_free(tls_cfg->cafile);
623                 tls_cfg->cafile = ast_strdup(value);
624         } else if (!strcasecmp(varname, "tlscapath") || !strcasecmp(varname, "tlscadir")) {
625                 ast_free(tls_cfg->capath);
626                 tls_cfg->capath = ast_strdup(value);
627         } else if (!strcasecmp(varname, "tlsverifyclient")) {
628                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_VERIFY_CLIENT);
629         } else if (!strcasecmp(varname, "tlsdontverifyserver")) {
630                 ast_set2_flag(&tls_cfg->flags, ast_true(value), AST_SSL_DONT_VERIFY_SERVER);
631         } else if (!strcasecmp(varname, "tlsbindaddr") || !strcasecmp(varname, "sslbindaddr")) {
632                 if (ast_parse_arg(value, PARSE_ADDR, &tls_desc->local_address))
633                         ast_log(LOG_WARNING, "Invalid %s '%s'\n", varname, value);
634         } else if (!strcasecmp(varname, "tlsclientmethod") || !strcasecmp(varname, "sslclientmethod")) {
635                 if (!strcasecmp(value, "tlsv1")) {
636                         ast_set_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
637                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
638                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
639                 } else if (!strcasecmp(value, "sslv3")) {
640                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
641                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
642                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
643                 } else if (!strcasecmp(value, "sslv2")) {
644                         ast_set_flag(&tls_cfg->flags, AST_SSL_SSLV2_CLIENT);
645                         ast_clear_flag(&tls_cfg->flags, AST_SSL_TLSV1_CLIENT);
646                         ast_clear_flag(&tls_cfg->flags, AST_SSL_SSLV3_CLIENT);
647                 }
648         } else {
649                 return -1;
650         }
651
652         return 0;
653 }